Kerberos:上下文发起者的 GSSContext 名称为空


我正在尝试通过 Kerberos/SPNEGO 在我的应用程序中集成 SSO,按照此处的说明操作:https://docs.spring.io/spring-security-kerberos/docs/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#samples-sec-server-win-auth

我的 context.xml 看起来像这样:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:sec="http://www.springframework.org/schema/security"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <!--
        Spring Security context for Kerberos/SPNEGO single sign-on.
        Two authentication providers are registered: a password (form login)
        provider that authenticates the submitted username/password against the
        KDC (kerberosAuthenticationProvider), and a SPNEGO provider that validates
        the Negotiate token sent by the browser (kerberosServiceAuthenticationProvider).
        The schemaLocation URLs are identifiers that Spring resolves from the
        classpath, not URLs the validator should fetch; note that
        spring-security.xsd is unversioned while beans/context are pinned to 3.2.
        The "context" namespace is declared but no context:* element is used here.
    -->
    
    
        <!-- ProviderManager consults the providers in the order listed here. -->
        <sec:authentication-manager alias="authenticationManager">
            <sec:authentication-provider ref="kerberosAuthenticationProvider"/>
            <sec:authentication-provider ref="kerberosServiceAuthenticationProvider"/>
        </sec:authentication-manager>
    
        <!--
            Password-based provider used by the explicit login form: the
            SunJaasKerberosClient performs a JAAS Krb5 login with the credentials
            typed by the user. debug="true" enables verbose JAAS/Kerberos
            diagnostics on stdout, which can include principal, ticket and key
            details; keep it enabled only while troubleshooting.
        -->
        <bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
            <property name="kerberosClient">
                <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                    <property name="debug" value="true"/>
                </bean>
            </property>
            <!-- NOTE(review): ref="userDetailsService" does not match the
                 id="ldapUserDetailsService" declared at the bottom of this file;
                 a bean with this id must exist elsewhere for the context to load.
                 Confirm which user-details bean is intended. -->
            <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
    
        <!--
            Not referenced by id: this bean appears to apply JVM-wide Kerberos
            settings at startup (here only the krb5 debug flag). Same caveat as
            above: leave debug off outside troubleshooting.
        -->
        <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
            <property name="debug" value="true"/>
        </bean>
    
        <!--
            Issues the WWW-Authenticate: Negotiate challenge for unauthenticated
            requests; the constructor argument is the URL forwarded to (the login
            form) when the browser does not negotiate.
        -->
        <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint">
            <constructor-arg value="/login"/>
        </bean>
    
        <!--
            Reads the "Negotiate <token>" Authorization header and hands the token
            to the authentication manager. When validation fails it logs
            "Negotiate Header was invalid" together with the token, as in the
            stack trace below; that log line therefore carries the raw SPNEGO
            token and should not be treated as harmless output.
        -->
        <bean id="spnegoAuthenticationProcessingFilter"
              class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager" />
        </bean>
    
        <!--
            SPNEGO provider: the ticket validator decrypts the client's service
            ticket with the key read from keyTabLocation for servicePrincipal.
            That only works if the keytab holds the key (and key version) of
            exactly the principal registered for this service in AD; the answer on
            this page attributes "GSSContext name of the context initiator is
            null" to an invalid keytab, so the keytab/SPN pairing is the first
            thing to verify. holdOnToGSSContext="true" keeps the GSSContext alive
            after validation instead of disposing it (needed if delegated
            credentials are to be used later).
        -->
        <bean id="kerberosServiceAuthenticationProvider"
              class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
            <property name="ticketValidator">
                <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                    <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}" />
                    <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}" />
                    <property name="debug" value="true" />
                    <property name="holdOnToGSSContext" value="true"/>
                </bean>
            </property>
            <!-- NOTE(review): same ref mismatch as in kerberosAuthenticationProvider
                 (ref="userDetailsService" vs id="ldapUserDetailsService"). -->
            <property name="userDetailsService" ref="userDetailsService" />
        </bean>
    
        <!--
            LDAP connection used for user lookups, authenticated with the same
            service keytab and principal as the ticket validator. isInitiator="true"
            makes this side obtain a ticket for the LDAP server (Krb5LoginModule
            option); useTicketCache="true" lets it reuse cached credentials.
        -->
        <bean id="kerberosLdapContextSource" class="org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource">
            <constructor-arg value="${myapp.ldap.ldapServerUrl}"/>
            <property name="loginConfig">
                <bean class="org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig">
                    <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}"/>
                    <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}"/>
                    <property name="debug" value="true"/>
                    <property name="isInitiator" value="true"/>
                    <property name="useTicketCache" value="true"/>
                </bean>
            </property>
        </bean>

        <!--
            Resolves the authenticated name to LDAP user details; {0} is replaced
            by the login name and the filter matches either the UPN or the
            sAMAccountName. The LDAP template is expected to filter-encode the
            substituted value; confirm that rather than assume it if the name can
            originate from untrusted input.
        -->
        <sec:ldap-user-service id="ldapUserDetailsService" server-ref="kerberosLdapContextSource" 
        user-search-filter="(| (userPrincipalName={0}) (sAMAccountName={0}))" />
</beans>

当显式打开登录表单并输入 AD 凭据时,我可以访问应用程序的秘密部分(因此它似乎通常有效)。

当我尝试在没有事先显式登录的情况下访问受保护的部分(例如 /myapp/administration)时,我收到一个 BadCredentialsException,消息为“GSSContext name of the context initiator is null”(上下文发起者的 GSSContext 名称为空)。

2018-05-11 16:10:07,578 [http-apr-8080-exec-3] WARN  org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate YHcG(...)==
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:173)
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
        at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)

我认为这个异常表示客户端发回的 Kerberos TGT 已被修改或未按预期生成,因此客户端不被视为可信、无法获得服务票证。但我不太确定这种理解是否正确。

那么...我错过了什么?

spnego spring-security-kerberos

我遇到了同样的问题,因为我使用了无效的密钥表文件。尝试替换它并检查您的密钥表创建过程。
